It was the U.S. Food and Drug Administration’s (FDA) worst nightmare come true.

On May 12, 2017, the WannaCry ransomware cryptoworm slithered its way into computers worldwide, infecting as many as 200,000 Microsoft Windows systems in 150 countries, including systems at 48 U.K. hospital trusts and an untold number of U.S. facilities.

Hospitals, of course, are not immune to computer hacks. In fact, more than 113 million personal health records were compromised in 2015, roughly nine times as many as the prior year, according to provider data reported to the U.S. Department of Health and Human Services.

The WannaCry worm, however, wasn’t limited to hospital computers. It also infected medical devices.

Quoting an unnamed "source," Forbes reported the WannaCry attack affected a Bayer Medrad device in an unnamed U.S. hospital. The source could not confirm the specific model infected, but the magazine surmised the product to be a device used to control a "power injector," which delivers a contrast agent to patients. Such agents are chemical compounds that improve the quality of imaging scans such as magnetic resonance imaging.

A Bayer spokesperson confirmed the ransomware’s device contamination, telling Forbes the company received two reports from U.S. customers about its infected medical products. “Operations at both sites were restored within 24 hours,” the spokesperson said, declining to specify the product(s) or location(s) affected. “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.”

Five days after the WannaCry attack began (and two days after its "accidental" demise, when its kill-switch domain was registered), Bayer posted an advisory on its website about potentially compromised Windows networks and provided recommendations to customers about installing corrective or preventative measures. The company identified its affected medical devices: the Medrad Stellant and Medrad MRXperion control room units (Certegra Workstations), Certegra and VirtualCare devices, the Medrad Intego RDMS, and Certegra Connect.CT.

The company began deploying, on May 19, the Microsoft security patch that closes the Windows vulnerability the worm exploited, and a week later instructed customers to restart their Medrad Stellant control room unit (Certegra Workstation) if the system was connected to VirtualCare Remote Support. A patch alone does not clean an already-infected machine; the restart and the network-level recommendations in the advisory were part of the remediation.

Although WannaCry’s impact on patient health remains unclear, the Bayer infections are nevertheless concerning because they represent the first known instance of ransomware directly affecting the operation of a medical device—a problem the FDA has been preaching about for years. In 2015, the agency issued a cybersecurity alert about Hospira Inc.’s Symbiq infusion pumps, citing security vulnerabilities that potentially could allow “unauthorized access” to the devices and prevent them from properly functioning.

And just a month before the WannaCry attack, the FDA threatened Abbott Laboratories with regulatory action over safety and security issues in a remote cardiac monitoring system developed by St. Jude Medical Inc. (the two companies finalized their $25 billion merger earlier this year). In an April 12 warning letter, the agency accused St. Jude Medical of failing to properly investigate problems with both the batteries in its implantable defibrillators and the cybersecurity of its Merlin@home at-home monitoring equipment.

The letter gave Abbott Labs 15 business days to submit a plan to address flaws in the products' designs that could allow an attacker to tamper with the devices' settings, drain their batteries, or administer inappropriate pacing or shocks.

“...cybersecurity threats are real, ever-present, and continuously changing,” Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, wrote in an agency blog post late last year. “In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.”

Comforting thought.

In sounding the alarm bell on cybersecurity, the FDA released recommendations late last year on ways device manufacturers can maintain the safety of Internet-connected products, even after they have entered hospitals, patients’ homes, or the human body. First issued in draft form in January 2016, the 30-page guidance encourages companies to ensure device cybersecurity throughout the product lifecycle. It recommends manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

The agency also suggests that companies devise ways to monitor and detect cybersecurity vulnerabilities in their devices; understand and assess the level of risk a vulnerability poses to patient safety; work with cybersecurity researchers and other stakeholders to improve communication about potential vulnerabilities; and deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm.

“Digital connections power great innovation—and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve healthcare can increase cybersecurity risks,” Schwartz wrote in her blog post. “This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides, but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done.”
